A New Beginning for Election Security Journeys

In March 2018, the Center for Internet Security (CIS) published A Handbook for Election Infrastructure Security. The purpose of the Handbook was to provide election officials with clear and concise guidance from a recognized leader in cybersecurity.

We're excited to announce that we've rewritten this publication ahead of the 2022 midterm elections. Our Essential Guide to Election Security addresses the most recent threats and technology impacting the election landscape. It is now available for download.

A Shifting Landscape for Election Offices

When the Handbook came out, there was no Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) or related services, so we decided to release an update. While thinking about this process, we observed a number of opportunities to incorporate improvements.

First, we realized that the original Handbook provided best practices but not any recommendations around implementing those measures. That's a problem – particularly for election entities that don’t have full IT or security teams. Indeed, the CIS Critical Security Controls (CIS Controls) and NIST SP 800-53 might be difficult for some elections offices to implement on their own. We recognized an opportunity to provide something concise – something that covered important things to help these organizations establish a journey towards improved security.

Second, we saw a need for the Essential Guide to consider some of the new challenges confronting elections offices. Chief among these obstacles is effectively managing mis-, dis-, and malinformation so that constituents understand the truth of how elections actually work. We also noted a need to address an increase in physical threats, intimidation, and doxing that has confronted election officials in recent years.

How the Essential Guide Came Together

To put our new Essential Guide together, we started by working with the election community. We engaged every member of EI-ISAC and invited them to join a volunteer group so that they could provide input on what the Essential Guide should look. Ultimately, about 25 organizations representing a combination of vendors and members decided to help out.

We held our first working group session in September 2021. This meeting gave us an opportunity to work through the challenges we had identified earlier. We knew we needed to include actionable guidance that supports election offices and their resources. We also resolved to not produce an Essential Guide that would be outdated each year.

From this standpoint, we decided to build a new platform and processes around creating this type of Guide. Doing so necessitated that we temporarily put writing aside. After we constructed the platform, resumed our writing, and produced a draft, we shared a pre-release version with the working group and the EI-ISAC Executive Committee along with a few other individuals and cybersecurity experts within CIS. We then took the feedback we received and made updates over the course of the next several months.

So What’s Inside the Guide?

Significantly, the Essential Guide to Election Security meets election offices where they are with prioritized best practices based on data of attacks that have occurred in the real world. It breaks down recommendations, which are based on CIS Community Defense Model (CDM) v2.0, into three levels so everyone from beginners to experts can find guidance that fits their jurisdictions. This makes the Essential Guide relevant to protecting against real-world attacks including physical security threats, intimidation, and doxing.

Additionally, the Essential Guide includes three levels of maturity. Not all election offices have the same resources or technical capabilities, so we needed to find a way to give guidance that meets the officials where they are. By including different maturity levels, the Essential Guide gives election officials different paths of implementation for any given best practice.

Let's use asset management as an example. Maturity Level 1 requires that entities maintain proper records of their assets throughout their lifecycle, know the physical location of their hardware, conduct maintenance on those assets, as well as protect them from loss, theft, and tampering. Meanwhile, Maturity Levels 2 and 3 take these efforts further, requiring election offices to maintain digital inventory records, apply asset tags, use software tools to discover physical devices on their networks, and leverage allowlist software to prevent the installation of unwanted software.

Next, we designed the Essential Guide to Election Security to be a living document. We opted to make it available on GitHub and Read the Docs so that we can make revisions quickly. This will help to ensure that the Essential Guide remains relevant to the latest technology used by election offices and the threats facing them.

Finally, the Essential Guide explains how organizations with limited technical capabilities and resources can strengthen their cybersecurity posture. It uses plain language to emphasize the use of easy-to-implement, free resources. Vendors and organizations of higher maturity can also find those recommendations useful.

A More Mature Take on Elections Security

Cybersecurity awareness among elections offices in all types of jurisdictions has matured significantly in recent years such that we can now give detailed security guidance and see consistently meaningful adoption. This Essential Guide makes these recommendations useful for small jurisdictions, enabling them to make incremental security improvements ahead of the 2022 mid-term elections – and for election cycles to come.